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United  States  (U.S.)  cyberspace  is  not  secure,  and  this  lack  of  security  leaves  the  nation 
vulnerable  to  cyberattack  from  a  variety  of  sources.  Successful  cyberattacks  have  had,  and 
may  continue  to  have,  negative  results  with  strategic  implications.  Until  now  cyberspace  has 
existed  with  relatively  unregulated  access.  However,  as  the  reliance  on  cyberspace  grows,  the 
subsequent  requirement  for  security  also  grows  with  it,  and  we  must  now  take  at  least  the 
minimum  necessary  measures  to  better  secure  it,  or  continue  to  suffer  the  consequences  of 
computer  attacks  from  a  variety  of  threats.  The  U.S.  Government  must  first  set  the  example  by 
securing  itself,  and  then  move  to  bring  industry  into  compliance,  preferably  through  consensus, 
but  if  necessary,  through  regulation  or  legislation.  While  government  should  display  the 
necessary  leadership  in  this  arena,  industry  has  the  great  majority  of  the  nation’s  infrastructure, 
and  therefore  will  bear  the  largest  burden.  Finally,  individual  users  must  take  a  more  active  role 
in  securing  their  small  part  of  cyberspace.  All  three  have  a  key  role  in  securing  American 
cyberspace  in  order  to  prevent  a  potential  "digital  Pearl  Harbor"  or  "electronic  September  1 1 " 
from  ever  occurring. 
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SECURING  AMERICAN  CYBERSPACE:  A  STRATEGIC  NECESSITY 


There's  been  speculation,  even  before  September  11,  about  the  U.S.'s 
vulnerability  to  an  “electronic  Pearl  Harbor”  or  a  cyberterrorist  attack.^ 

U.S.  cyberspace^  is  not  secure,  and  this  lack  of  security  leaves  the  nation  vulnerable  to 
cyberattack  from  a  variety  of  sources.  Successful  cyberattacks  have  had,  and  may  continue  to 
have,  negative  results  with  strategic  implications.®  Therefore,  this  paper  has  three  purposes; 
first,  to  define  the  cyber  threat;  second,  to  analyze  why  the  U.S.  is  vulnerable  to  cyberattack  and 
the  reasons  we  are  still  susceptible  to  attacks;  and  finally,  to  recommend  potential  solutions  for 
improving  the  nation’s  cybersecurity. 

THE  THREAT 

Three  major  threats  to  American  cyberspace  exist  today:  cybercrime,  cyberterrorism,  and 
state-sponsored  cyberattacks.  Cybercrime  is  criminal  activity  conducted  in  cyberspace;  that 
activity,  whether  intentionally  or  unintentionally,  which  directly  attacks  another  computer, 
information  system,  or  network,  causing  them  to  be  disrupted,  their  services  denied,  or  in  the 
worst  case  causing  equipment  damage  or  loss  of  services  to  the  user  of  the  system.  Specific 
examples  are  hacking,  website  defacements  (cybervandalism,)  and  cyberfraud  (i.e.,  stock 
manipulations  or  illegal  bank  account  “break  ins”).  However,  the  historically  most  dangerous  is 
malicious  code,  of  which  the  computer  virus with  its  variants  the  worm  and  T rojan  horse,  is  the 
best  known.  Cybercrime  has  cost  government  and  business  billions  of  dollars.® 

Cyberterrorism  has  received  a  lot  of  more  attention  since  September  1 1 .  According  to  the 
Federal  Bureau  of  Investigation,  cyberterrorism  is  any  "premeditated,  politically  motivated  attack 
against  information,  computer  systems,  computer  programs  and  data  which  results  in  violence 
against  non-combatant  targets  by  sub-national  groups  or  clandestine  agents."®  A  big  fear  is  that 
a  cyberterrorist  could  shut  down  the  Internet,  causing  significant  damage  to  the  economy  (not 
unlike  the  physical  attacks  of  September  1 1 ),  as  well  as  attack  key  infrastructure  such  as  oil, 
gas,  power,  and  emergency  services.^ 

State-sponsored  threats,  using  cyberattack  as  a  form  of  asymmetric  warfare,  in 
conjunction  with  direct  physical  attacks,  are  of  even  greater  concern.  Asymmetric  warfare  is 
“anything  that  encompasses  anything — strategy,  tactics,  weapons,  personnel — that  alters  the 
battlefield  to  negate  one  side  or  the  other’s  advantages.”®  Because  the  U.S.  is  a  superpower 
today  without  a  military  peer  adversary,  no  potential  enemy  since  the  end  of  the  Cold  War  has 
demonstrated  the  ability  to  compete  in  a  face-to-face  conventional  or  “symmetrical”  battle. 


Therefore,  the  U.S.  can  expect  that  future  enemies  will  attack  using  asymmetric  threats,  such  as 
computer  espionage  and  direct  cyberattack,  clandestinely  launched,  possibly  through 
sympathetic  cyberterrorists  or  mercenary  hackers  in  their  employ.  While  there  is  much  debate 
over  whether  a  nation  can  be  brought  to  its  knees  via  cyberattack,  the  second-  and  third-order 
effects,  when  synchronized  in  coordination  with  physical  attack,  could  be  devastating.  At  the 
very  least  they  could  hamper  response  times  and  the  ability  to  recover  from  a  military  or  terrorist 
assault.  The  consequence  of  such  a  combined  attack  might  prove  more  devastating  as  its 
effects  ripple  through  the  global  economy. 


THE  VULNERABILITY 

Compelling  evidence  shows  that  American  cyberspace  is  not  fully  secured.  The  Carnegie 
Mellon  Software  Institute’s  CERT  (Computer  Emergency  Response  Team)  Coordination  Center 
is  recognized  as  a  leader  in  computer  network  defense.®  Its  website  lists  the  total  number  of 
reported  computer  network  attack  incidents  in  its  1 5-year  history  starting  in  1 988  and  extending 
through  calendar  year  2003  (see  Figure  1  below).  Since  1 988  there  have  been  31 9,992 
reported  incidents  of  computer  attack  in  various  forms.  The  website  states  that  each  “incident 
may  involve  one  site  or  hundreds  (or  even  thousands)  of  sites.  Also,  some  incidents  may 
involve  ongoing  activity  for  long  periods  of  time.”  In  2003  alone  there  were  1 37,529  incidents. 
This  is  over  42%  of  all  reports  ever.  Compared  to  the  82,094  reported  in  2002,  this  is  an 
increase  of  almost  75%  over  the  year  before.  When  compared  to  the  21 ,756  reported  incidents 
of  2000,  this  further  represents  a  greater  than  600%  increase  in  reported  attacks  since  the  Bush 
administration  entered  office.  The  Department  of  Defense  (DOD)  alone  defended  itself  from 
over  50,000  reported  attacks  in  2002.^® 
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FIGURE  1 .  REPORTED  COMPUTER  ATTACK  INCIDENTS  1 988-2003 
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The  government  has  a  $52  billion-a-year  information  technology  (IT)  budget  and  in  2002 
spent  $4.5  billion  on  IT  security,  a  64%  increase  from  the  year  before.^®  Depending  on  which 
report  one  believes,  the  government  owns  1 0%  to  20%  of  U.S.  cyberspace.'"'  Using  1 5%  as  an 
estimating  figure  (simply  averaging  between  10%  and  20%),  and  extrapolating  government 
security  expenditure  to  corporate  America,  the  latter  spends  about  $346  billion  a  year  on  IT,  of 
which  approximately  $29  billion  is  on  IT  security. Yet  reports  of  network  attacks  have  grown 
over  600%  since  2000.  While  one  could  expect  that  attacks  would  increase  as  the  usage  in 
cyberspace  grows,  if  security  measures  were  working  one  should  also  expect  successful 
attacks  to  decrease.  Either  enough  is  not  being  spent,  or  there  is  not  enough  capability  to  keep 
up.  Both  are  likely  true,  with  security  spending  lagging  behind  that  which  is  required  to  defend 
cyberspace,  regardless  of  the  advance  of  technology. 

The  consequences  of  a  lapse  in  cybersecurity,  or  not  keeping  pace  with  security  upgrades 
as  new  threats  emerge,  can  be  extremely  expensive  as  well.  In  late  summer  of  2003,  a  wave  of 
viruses  caused  an  estimated  $3.5  billion  in  damage.'®  If  cyberspace  users  think  it  costs  a  lot  to 
secure  their  systems,  the  cost  of  not  securing  them  could  be  substantially  higher. 

In  comparison,  for  the  price  of  just  a  few  hundred  dollars,  a  cyberattacker  can  purchase 
late-model  computer  equipment  and  conduct  direct  attacks.  More  likely  an  attacker  will  release 
a  virus  “into  the  wild’’"'  that  indiscriminately  attacks  a  majority  of  systems  in  cyberspace,  causing 
particular  targeted  systems  to  fail,  but  usually  via  denial  of  service  (DoS)  attacks.'®  The  rapid 
pace  of  technology  works  against  the  defender,  but  favors  the  attacker.  Costs  for  cybersecurity 
can  be  seen  as  almost  prohibitive  if  not  for  the  fact  that  access  to  cyberspace  today  is  a 
necessity,  and  security  expenditures  a  “necessary  evil.”  Essentially,  even  after  government  and 
corporations  have  spent  millions  of  dollars  to  secure  cyberspace  worldwide,  a  single  individual’s 
minimal  costs  in  personal  equipment  can  be  used  to  cause  systems  to  crash  causing  billions  in 
clean-up  and  lost  productivity'®.  So  despite  significant  monies  spent,  U.S.  cyberspace  still 
remains  inadequately  secured. 

GOVERNMENT  IS  RESPONSIBLE 

There  are  some  key  reasons  why  American  cyberspace  is  still  not  secured.  To  start,  the 
U.S.  Government  has  not  fully  accepted  its  responsibility  to  secure  it.  When  the  Bush 
administration  released  The  National  Strategy  to  Secure  Cyberspace,  critics  were  quick  to 
comment.  An  editorial  by  Silicon  Valley’s  San  Jose  Mercury  News  on  the  advent  of  the  National 
Cyber  Security  Summit  several  months  after  the  strategy’s  release  stated: 

The  national  strategy  is  a  watered  down  document  that  relies  almost  exclusively 
on  voluntary  measures,  education  and  awareness.  Industry  groups  fought  hard 
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to  keep  it  free  of  mandates.  There  are  no  requirements  for  basic  security 
measures,  disciosure  or  information  sharing.  There  are  no  demands  for 
cooperation  between  industry  and  government.  And  there  are  no  reai  incentives 
to  spend  resources  on  making  networks  more  secure  and  no  consequences  for 
faiiing  to  do  so.^" 

The  execution  of  the  strategy  after  its  reiease  has  been  deiayed,  and  biiiions  of  doliars  for 
cybersecurity  have  not  been  spent.  Additionaiiy,  the  newiy  formed  Department  of  Homeiand 
Security  (DHS)  has  been  busy  organizing  itseif.  As  a  resuit,  whiie  DHS  was  supposed  to  be 
ensuring  that  the  strategy  was  being  impiemented,  it  iacked  the  abiiity  to  focus  on  this  particuiar 
task.  Additionaiiy,  the  resignation  of  two  cybersecurity  directors  in  rapid  succession  ieft  it 
without  ieadership  to  push  the  strategy  forward.^^ 

Interestingiy,  the  “watered  down”  strategy  defiected  responsibiiity  away  from  government 
and  industry,  piacing  an  undue  responsibiiity  on  individuais.  Whiie  individuai  operators  have  a 
roie  to  piay,  chances  are  they  are  not  paying  attention  to  the  nationai  cyber  strategy.  Russ 
Cooper,  an  executive  with  the  Reston-based  TruSecure  Corporation,  was  quoted  as  saying, 
“Most  consumers  didn’t  buy  a  computer  to  become  geeks.  The  majority  of  them  are  stili  trying 
to  buy  things  from  eBay.” 

Government's  push  on  the  nationai  strategy  has  been  to  gain  consensus  from  the  private 
sector  on  impiementing  the  way  ahead,  much  iike  the  Ciinton  administration  did  for  its  Y2K 
pian.^’*  However,  in  comparison  toY2K,  government  made  three  key  mistakes  with  its  cyber 
strategy. 

First,  during  preparation  for  the  Y2K  roiiover,  government  pianners  made  sure  to  fioat  the 
pian  among  industry  officiais  so  that  they  buiit  consensus  as  the  pian  progressed.^® 
Unfortunateiy,  this  same  process  did  not  occur  with  the  nation’s  cyber  strategy  untii  just  before  it 
was  pubiished.  Consequentiy,  many  in  industry  baiked  at  its  recommendations,  causing  the 
current  administration  to  back  off,  thus  providing  many  voiuntary  measures  with  few 
voiunteers.^® 

Next,  government  has  not  ied  the  cybersecurity  effort  as  it  did  during  Y2K,  by  fixing  itseif 
first  before  insisting  that  others  foiiow  suit.  Prior  to  the  Y2K  roiiover,  government  demonstrated 
that  it  took  Y2K  seriously  by  examining  all  internal  systems  to  ensure  Y2K  compliance.  Where  it 
was  not  compliant,  it  upgraded  or  fixed  them  to  ensure  that  on  January  1 , 2000,  government 
would  not  stop  functioning.  Much  to  government’s  credit,  the  end  result  was  what  many  said 
was  the  biggest  non-event  in  computer  history. 

However,  in  contrast,  considering  the  effect  and  cost  of  four  recent  viruses  on  cyberspace, 
Slammer  ($1 .2  billion);  Code  Red  ($2.6  billion);  LoveLetter  ($8.8  billion),  and  Klez  ($9.0 
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billion)f®  these  can  hardly  be  dismissed  as  non-events  in  cyberspace.  Further,  while  it  appears 
that  the  power  blackeut  that  affected  the  northeast  this  past  August  2003  was  not  caused  by  a 
cyberattack,  there  is  increasing  evidence  that  the  Blaster  worm  plowing  through  cyberspace  at 
the  same  time  may  have  inhibited  power  companies’  recovery  from  the  blackout.^®  This  should 
put  everyone  on  guard. 

Knowing  full  well  when  the  natienal  cyber  strategy  was  produced  that  cyberattacks  have 
cest  billions,  at  the  end  of  2003  government  was  still  waiting  for  industry  to  do  something.  How 
long  does  the  nation  wait... until  the  “electronic  Pearl  Harbor”  or  “cyber  September  11”  hits? 
America  went  to  war  on  a  global  scale  when  the  physical  versions  of  these  two  attacks 
occurred.  Arguably,  those  who  have  operated  within  cyberspace  for  the  last  few  years  knew 
that  cyberwar  has  been  in  effect  for  some  time.  Perhaps  the  National  Cyber  Security  Summit, 
which  met  in  December  2003,^°  will  produce  the  required  synergy  to  finally  move  the  ceuntry 
ahead  to  a  more  secure  cyberspace.  The  concern  is  that  the  next  dangerous  attack  may  get 
here  before  then,  and  all  government  will  be  able  te  do  is  watch  and  react  because  it  has  not 
been  more  preactive. 

INDUSTRY  IS  RESPONSIBLE 

A  greater  reasen  cyberspace  is  not  more  adequately  secured  is  that  cerporate  America 
has  not  taken  effective  action.  With  80%  to  90%  of  the  nation's  cyber  infrastructure,  the  high- 
tech  industry  lebbied  intensely  against  mandatory  security  regulations  very  early  during  the 
Bush  administratien's  writing  of  its  cyber  strategy.  Industry  claimed  mandatery  measures 
weuld  be  too  costly,  especially  in  light  of  the  recent  downturn  in  the  economy, insisting  market 
forces  would  drive  them  to  choose  the  path  of  best  security.  The  Bush  administration’s  cyber 
strategy  had  plenty  of  recommendations  on  how  home  users  should  protect  their  systems,  but 
critics  ccmplained  Icbbying  done  by  tech  ccmpanies  “pulled  nearly  all  the  teeth”  frem  the  plan 
when  it  came  te  telling  cempanies  what  they  needed  te  do  to  protect  themselves,  omitting 
several  recommendations  contained  in  earlier  drafts.'^® 

This  should  not  be  surprising.  Industry  has  resisted  efforts  by  the  gevernment  to  regulate 
cyberspace  since  the  Internet  toek  shape.  Recent  debates  in  the  Congress,  in  the  media  and 
the  industry  itself  over  the  topic  of  taxation  of  cyberspace  have  been  another  touchy  subject.^'* 
The  Internet  is  looked  at  since  its  creatien  as  a  free-market  medium  in  which  not  only  the  trade 
of  goods  but  ideas  is  enceuraged,  and  its  users  see  any  gevernment  regulatien  as  an  affront. 
Here  at  home,  the  government's  cyber  strategy  has  sought  this  laissez  faire  approach  to 
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cyberspace,®®  depending  on  industry  to  take  voiuntary  security  actions,®®  though  government’s 
patience  may  be  wearing  thinP  ®® 

Unfortunateiy,  cyberspace  has  deveioped  a  dark  side,  where  behaving  badiy  has 
increased  proportionate  to  the  good;  and  whiie  most  users  are  benign,  one  maiignant  individuai 
can  make  things  unpieasant  for  the  rest.®®  Nonetheiess,  it  is  understandabie  that  industry  wouid 
resist  government  reguiation  that  takes  away  from  the  bottom  iine.  They  argued  prior  to  the 
reiease  of  the  nationai  cybersecurity  strategy  that  they  be  aiiowed  time  to  increase  security 
before  deaiing  with  government  reguiations.'*®  Yet  since  the  reiease  of  the  nationai 
cybersecurity  strategy,  attacks  are  up,  costing  American  cyberspace  users  biiiions.  Cieariy, 
industry  has  not  been  abie  to  provide  the  security  they  stated  they  wouid,  assuming  they  couid. 

This  has  gotten  the  attention  of  the  federai  government.  During  the  cybersecurity  summit 
hosted  by  four  pro-business  organizations  in  eariy  December  2003,  in  Siiicon  Vaiiey,  and 
attended  by  DHS  Secretary  Tom  Ridge,  the  government’s  message  to  the  tech  industry  was 
ciear:  much  stiii  needs  to  be  done,  and  industry  needs  to  get  serious  about  network  security  or 
face  iegisiation."*^  Robert  Liscouski,  Assistant  Secretary  for  Infrastructure  Protection,  was 
quoted  at  a  press  conference  during  the  summit  as  saying,  “There  shouid  be  no  mistake  about 
where  we  stand.  We  are  not  going  to  iet  anybody  who  operates  in  this  space  dodge  their 
responsibiiity,  and  I  wiii  be  sticking  my  finger  into  peopie's  chests  to  make  sure  they  iive  up  to 
their  responsibiiities."®®  Amit  Yoran,  the  recentiy  appointed  director  of  the  Nationai  Cyber 
Security  Division  at  DHS  was  aiso  quoted  as  saying,  “The  Nationai  Strategy  didn't  caii  for 
specific  pieces  of  iegisiation.  That  does  not  mean,  however,  there  is  no  roie  for  iegisiation.’"*® 

So  it  wouid  seem  the  U.S.  Government  is  iosing  patience  with  industry  on  its  siow  pace  of 
cybersecurity.  DHS  has  made  the  security  of  the  Internet  and  e-commerce  a  top  priority,  and  as 
Secretary  Ridge  stated  in  his  keynote  speech  at  the  summit,  “Terrorists  know  that  a  few  iines  of 
code  couid,  uitimateiy,  wreak  as  much  havoc  as  bombs.’’"®  The  signai  to  industry  invoived  in  e- 
commerce  and  cyberspace  shouid  be  ciear;  after  winning  an  initiai  reprieve  from  government 
intervention  mandating  better  cybersecurity,  government  is  sending  a  strong  message  to 
corporate  America  to  get  serious  about  it  or  intervention  might  soon  foliow."® 

What  remains  to  be  seen  is  whether  industry  responds.  It  has  not  to  this  point,  or 
successfui  computer  attacks  wouid  be  decreasing,  aiong  with  their  adverse  effects.  At  the  very 
ieast,  successfui  attacks  shouid  not  be  growing  at  the  rate  they  are.  Whiie  industry  has  formed 
its  own  organizations  to  iook  at  cybersecurity, and  owns  over  80%  of  the  country’s  cyber 
infrastructure,  the  infrastructure  is  very  compiex;  and  its  ownership  is  spread  among  many 
companies.  Can  industry  enact  voiuntary  standards  to  enhance  security  of  networks  and  the 
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information  traveiing  them,  especiaiiy  when  the  network  is  oniy  as  strong  as  its  weakest 
iink*^... without  government  intervention?  It  remains  to  be  seen.  At  the  very  ieast,  assuming 
industry  moves  fairiy  quickiy  in  the  right  direction,  it  may  require  government  to  heip  enforce  the 
standards  which  industry  creates.  The  bigger  question  may  turn  out  to  be  who  wiii  enforce  the 
standards  and  discipiine  those  who  do  not  cooperate?  Enforcement  has  usuaiiy  been  a 
governmentai  responsibiiity,  and  a  requirement  for  governmentai  codifying  of  the  standards 
through  reguiation  or  iegisiation  may  be  necessary. 

The  working  groups  formed  during  the  Nationai  Cyber  Security  Summit  in  December 
2003,  have  a  seif-imposed  deadiine  of  March  1 , 2004,"*®  to  produce  white  papers  outiining  their 
recommendations;  so  at  the  time  of  this  writing  the  question  of  whether  industry  can  respond 
remains  unanswered.  Even  then,  these  recommendations  wiii  have  to  transiate  into  action,  and 
the  question  wiii  stiii  remain  if  industry,  without  the  impetus  of  government  enforcement,  can 
reaiiy  make  them  work.  So  far,  the  iack  of  government  impetus  has  not.  In  the  meantime, 
American  cyberspace  remains  vuinerabie. 

INDIVIDUALS  ARE  RESPONSIBLE 

Another  reason  for  the  lack  of  cybersecurity  in  America  is  the  individual  American 
computer  user,  at  home  and  at  work.  Unfortunately,  most  computer  users  are  ignorant  about 
what  is  going  on  “under  the  hood”  of  their  personal  computer  (PC).  The  first  computer 
processor  developed  for  personal  computers  was  Intel’s  BOSS'*®  in  June  1979.  The  very  first 
version  of  the  BOSS  had  a  speed  of  4.77  MHz  (million  cycles  per  second).  Today,  one  can 
purchase  a  PC  with  a  processor  speed  of  over  3  GHz  (billion  cycles  per  second).  So  in  25 
years,  processor  speed  has  increased  over  62S-fold. 

Why  is  this  important?  As  quoted  before,  the  average  traveler  in  cyberspace  is  more 
interested  in  learning  to  buy  from  eBay  than  conducting  cyberattacks.  Nonetheless,  an 
unprotected  computer  is  an  opportunity  for  a  cyberattacker  to  exploit  without  the  computer 
user’s  knowledge.  Despite  the  possible  harvesting  of  sensitive  information  such  as  social 
security  and  credit  card  numbers,  the  more  dangerous  problem  is  the  Zombie,®®  a  computer 
exploited  without  the  owner’s  knowledge,  and  then  used  to  attack  other  computers  or 
cyberspace  at  large,  thus  hiding  the  attacker’s  identity.  The  most  prolific  problem  is  the 
unprotected  computer  infected  by  a  virus  which  then  propagates  itself  back  out  into  cyberspace 
at  a  rapid  rate,  causing  DoS  attacks.®* 

While  the  rate  of  computing  power  since  the  first  PC  chip  was  produced  has  gone  up 
exponentially,  and  the  number  of  computers  has  increased  proportionally,  so  has  the 
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operational  ease  of  computers  for  the  average  user.  Arguably,  anyone  of  reasonable 
intelligence  can  operate  a  modern  computer.  However,  while  the  early  PCs  were  simple  by 
today’s  standards,  computers  have  become  quite  sophisticated  and  efficient  instruments.  Not 
only  does  the  basic  user  not  fully  comprehend  the  power  at  his  fingertips,  he  also  does  not  fully 
appreciate  the  power  of  an  attacker  who  does.  Therefore,  can  the  everyday  user  continue  to 
remain  unaware  of  the  potential  power  to  do  ill  if  an  attacker  corrupts  his  computer?  It  may  be 
time  for  both  government  and  industry  to  step  in  to  help  the  user  be  safer,  much  the  way  it  did 
with  the  advent  of  the  automobile  and  airplane  over  a  hundred  years  ago.  Historically,  Big 
Brother  stepping  in  to  “help”  has  always  been  a  concern  with  Americans,  and  undoubtedly  will 
be  so  with  regulation  and  legislation  of  individual  private  cyberspace  users. 

In  all  fairness  to  government,  industry,  and  individual  users  alike,  the  rapid  growth  of 
information  technology  and  their  inability  to  keep  up  is  another  reason  cyberspace  is  still 
unsecured.  This  is  mostly  due  to  practical  financial  reasons.  Even  if  one  were  to  outfit  himself 
with  the  latest  IT  security  hardware  and  software,  these  would  be  regarded  as  relatively 
obsolete  within  one-and-a-half  to  two  years.®^  This  means  businesses,  or  anyone  for  that 
matter,  must  upgrade  continuously  to  stay  current  with  technology.  This  undoubtedly  can  be 
very  expensive  when  scaled  over  government  directorates  and  large  corporations.®’*  Not  only  is 
the  rapid  pace  of  technology  depleting  budgets,  it  is  outrunning  the  ability  of  lawmakers  and 
regulators  to  keep  pace. 

Even  technology  developers  struggle  to  keep  up  the  pace.  A  good  example  is  Microsoft’s 
Windows  operating  systems,  the  predominant  operating  system  platform  for  cyberspace 
users.®®  With  every  generation  of  faster  computers,  competition  among  software  developers 
like  Microsoft  is  driven  by  market  forces  to  put  newer  versions  of  their  bestsellers  on  ever-faster 
platforms.  Often,  the  result  is  software  released  before  all  the  bugs  are  eliminated.  Microsoft 
has  been  criticized  as  these  flaws  have  been  exploited  by  cyberattacks.®®  While  Microsoft 
releases  patches  to  correct  these  flaws,  many  users  remain  ignorant  of  the  necessity  to  install 
the  patches.  Even  local  area  network  (LAN)  and  systems  administrators  fail  to  apply  the 
necessary  patches  because  they  are  often  overwhelmed  by  the  enormity  of  the  task.  At  the 
bottom  of  this  heap  is  the  individual  user.  For  the  most  part,  individual  users  have  not  been  held 
accountable  for  failing  to  maintain  their  computer  with  up-to-date  security,  whether  on  the  job  or 
at  home.  This  may  be  the  weak  link  of  it  all,  and  probably  the  most  difficult  to  correct. 

Despite  the  seeming  omnipresence  of  computers  in  the  world,  cyberspace  is  still  very 
much  an  abstract  concept  to  most  users.  Many  managers  in  both  government  and  industry 
think  of  security  as  a  technology  problem.®*'  Some  believe  that  if  they  throw  enough  money  at 
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the  IT  department,  this  will  solve  the  problem.  Two  things  are  wrong  with  this  thought;  first,  this 
is  not  just  a  technology  issue,  but  mostly  one  of  management.  “  Technology  can  help,  but  by 
itself  is  not  the  solution.  Second,  especially  since  the  downturn  in  the  American  economy,  even 
if  a  technological  solution  were  available  money  has  not  been,  nor  have  many  corporations 
been  willing  to  spend  money  on  cyberdefense  in  tougher  economic  times  After  all,  with 
clamoring  stockholders,  the  bottom  line  is  what  is  important  to  corporate  America;  and 
unfortunately;  many  companies  think  that  they  are  not  vulnerable  to  cyberattack.  It  is  like 
buying  insurance;  how  much  does  one  need,  and  more  importantly,  how  much  can  one  afford? 

Government  is  less  of  a  concern  in  this  arena.  Yes,  money  and  the  amount  to  spend  on 
cyberdefense  are  and  should  always  be  a  concern.  However,  since  between  80-90%  of  all 
cyberspace  infrastructure  is  privately  owned,®"  one  could  conclude  that  it  is  industry’s  major 
responsibility  to  secure  cyberspace.  While  this  percentage  figure  seems  to  indicate 
government’s  piece  of  the  cyberspace  pie  is  only  1 0-20%,  this  does  not  account  for  the  amount 
of  infrastructure  leasing  the  government  does  from  the  private  sector.  So  while  the  government 
may  only  have  up  to  20%  of  the  total  infrastructure  outright,  it  depends  greatly  on  contracting 
from  industry  for  the  rest  of  its  needs.  The  point  is  that  government  and  private  network  are  so 
intertwined  and  interdependent  that  neither  could  function  well  if  the  physical  or  virtual 
architecture  of  cyberspace  was  successfully  attacked... especially  if  a  virtual  attack 
accompanied  a  physical  attack.®'  Therefore,  neither  can  ignore  the  other,  nor  assume  the 
problem  away  to  the  other. 

THE  WAY  AHEAD 

No  simple,  silver-bullet  solutions  exist  to  fix  cybersecurity  in  America.  It  will  take  a  lot  of 
work... and  a  lot  of  money,  both  in  government,  and  especially  in  the  private  sector;  and  most 
likely  will  cost  the  private  individual  user  as  well.  Because  of  the  complexity  of  cyberspace  in 
general,  the  solution  to  securing  it  is  just  as  complex.  Money,  politics,  and  personal  liberties  are 
all  going  to  be  of  concern  as  we  tighten  security;  and  the  politics  of  it  will  make  for  interesting 
debate.  Nonetheless,  what  follows  are  three  recommendations  to  improve  America’s 
cybersecurity. 

Much  as  the  Transportation  Security  Agency  (TSA)  was  created  out  of  necessity  to  better 
secure  air  travel,  the  U.S.  should  not  wait  to  create  a  like  agency  for  cyberspace  after  a 
successful  but  devastatingly  similar  attack  in  cyberspace,  especially  since  a  framework  of 
trained  and  experienced  professionals  exists  already  for  such  an  agency  in  the  newly-formed 
U.S.  CERT.  Further,  there  has  been  talk  of  doing  what  was  once  unthinkable,  creating  a 
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separate  gevernment  netwerk  (called  GevNeP)  to  better  isolate  government  from  the  dangers 
of  public  cyberspace. 

The  talk  should  cease.  It  is  now  time  to  establish  a  GovNet  with  one  agency  or 
organization  to  monitor  and  controi  it,  and  the  U.S.  CERT  is  a  good  piace  to  begin.  A  way  to 
initiaiiy  pay  for  it,  partiaily  if  not  entireiy,  wouid  be  from  cost  savings  of  consolidating  government 
IT  defense  organizations  into  one  network  command  and  control  hierarchy.  A  number  of  these 
organizations  exist  throughout  government  now,  but  operate  independently  of  one  another 
inside  the  various  agencies.  Over  time,  ail  U.S.  Government  agencies  wouid  migrate  from  what 
are  now  essentiaiiy  their  own  private  networks  to  the  GovNet.  Initiaiiy,  each  agency,  and  its 
own  network  operations  and  security  center  (NOSC)  and  CERT  capabilities  (which  many  also 
operate)  would  continue  to  maintain  these;  but  as  efficiencies  are  gained  the  total  number  of 
NOSCs  and  CERTS®^  would  decrease.®'*  In  the  end,  instead  of  a  number  of  NOSC/CERTs 
serving  separate  agencies  and  their  networks,  what  wouid  evolve  is  one  inter-agency 
NOSC/CERT  (a  U.S.  NOSC/CERT)  overseeing  aii  U.S.  Government  cybersecurity. 

Subordinated  to  this  wouid  be  a  number  of  NOSC/CERTs  in  a  regionai  approach  both  in  and  out 
of  the  U.S.,  much  iike  DOD,  which  aiready  has  NOSC/CERTs  per  each  geographicaiiy  aiigned 
combatant  commander.®® 

These  inter-agency  NOSC/CERTs,  under  the  iead  of  the  DHS  via  the  U.S.  NOSC/CERT, 
and  jointiy  manned  and  operated  through  inter-agency  cooperation,  must  then  have  the 
authority  to  require  aii  government  agencies  to  compiy  with  security  requirements  PRIOR  to 
connection  to  GovNet.  The  U.S.  NOSC/CERT  would  then  monitor  aii  GovNet  owned 
connections  to  the  Internet,  as  well  as  cyberattacks  developing  within  the  pubiic  domain,  giving 
advice  not  oniy  internaiiy,  but  to  the  pubiic  as  well.  If  threatened  seriously  enough,  it  couid 
isoiate  GovNet  from  the  Internet  temporarily  to  either  prevent  or  mitigate  the  threat  from  gaining 
entrance,  or  isoiate  itseif  to  prevent  an  internaiiy  introduced  threat  from  getting  out  into  the 
pubiic  domain.  The  primary  purpose  of  the  U.S.  NOSC/CERT  wouid  be  to  provide  unity  of 
command  and  effort  within  the  government’s  IT  community,  something  soreiy  iacking  at  this 
time. 

It  will  not  be  easy,  nor  cheap,  to  make  this  happen.  Neither  was  the  establishment  of  the 
TSA,  or  DHS,  for  that  matter.  However,  the  time  to  start  is  now,  before  a  major  cyberattack 
disrupts  the  government,  and  at  significantly  more  cost  vis-a-vis  1 1  September  2001 .  Much  has 
been  done,  especially  since  2001 ;  but  there  is  much  still  to  be  accomplished.  A  singie 
integrated  GovNet  managed  and  controiled  both  operationaliy  and  administrativeiy  by  a  U.S. 
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NOSC/CERT  and  its  regional  subordinates  would  do  much  to  improve  the  defense  needed,  but 
also  demonstrate  to  the  American  IT  world  that  government  is  serious  about  securing  itself. 

Government  must  then  compel  industry  to  comply.  It  can  start  by  re-writing  the  cyber 
strategy  with  industry  and  other  private  concerns  involvement,  but  with  the  necessary  “teeth”  to 
ensure  success.  A  key  part  of  the  new  cyber  strategy  must  include  a  timeline,  with  a  deadline 
that  all  can  work  towards.  If  voluntary  compliance  in  a  reasonable  timeline  cannot  happen  in  an 
agreeable  manner,  then  the  administration  must  introduce  legislation  into  the  Congress  to  force 
the  issue. 

While  public  and  private  engagement  is  a  key  component  to  the  national  cyberspace 
strategy,  government  cannot  hope  business  interests  will  necessarily  police  themselves.  While 
a  market  economy  will  police  itself  along  economic  lines,  it  assumes  fair  access  to  markets;  and 
today  that  means  via  cyberspace.  Legislation  and  regulation  will  be  necessary  to  require  all 
participants  in  cyberspace  to  take  the  minimum  amount  of  security  measures  necessary  and 
maintain  them  prior  to  connection  to  cyberspace,  and  most  certainly  after  connection. 

A  further  part  of  the  solution  is  the  integration  of  industry  into  the  U.S.  NOSC/CERT 
concept  as  a  full  partner,  including  manning  and  operational  costs  shared  by  both.  As  the 
current  U.S.  CERT  is  already  a  partnership  between  government  and  private  entities,  this  idea 
should  be  expanded  to  all  of  industry  as  well.  However,  assuming  industry  does  not  cooperate 
fully,  the  U.S.  NOSC/CERT  must  be  empowered  by  the  Congress  to  monitor  commercial 
cyberspace  to  ensure  compliance  of  basic  security  rules... after  it  has  also  declared  American 
cyberspace  as  public  domain,  because  of  its  present  (and  obvious  future)  necessity  to  the 
security  interests  and  economy  of  the  U.S.,  subject  to  the  same  regulation  and  licensing  as  is 
the  broadcast  spectrum.  Then,  further  empowered  by  the  Congress  with  the  authority  to 
regulate  industries’  connection  to  cyberspace,  including  internet  service  providers  (ISP),  the 
U.S.  NOSC/CERT  can  ensure  that  all  entities  in  the  public  domain  of  cyberspace  meet  basic 
security  requirements  before  connection.  Anyone  failing  to  do  so  could  be  disconnected,  much 
like  the  Federal  Communications  Commission  could  deny  broadcasting  authority  to  a  radio  or 
television  station  if  they  do  not  comply  with  federal  laws  or  regulation  as  it  applies  to  this 
industry.  Again,  there  is  no  attempt  here  to  understate  the  potential  controversy  or  subsequent 
difficulty  of  implementing  this  recommendation.  This  would  indeed  be  a  true  paradigm  shift  in 
cyberspace  management,  and  many  Internet  libertarians  will  scream  foul  long  and  hard. 
However,  the  alternative  leaves  a  potential  unacceptable  threat  to  national  security. 

Corporate  America  must  also  assume  their  responsibilities  in  securing  American 
cyberspace;  and  it  has  to  be  all  of  industry,  not  just  the  high-tech  companies.  Every  company 
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with  a  computer  system  connected  to  cyberspace  must  be  a  part  of  the  solution,  as  any  not 
participating  could  be  an  unsecured  threat,  and  thus  should  be  disallowed  from  participating. 
Industry,  by  default,  has  the  major  role,  as  they  are  the  majority  “stockholder”  in  cyberspace. 
Because  they  own  80-90%  of  the  nation’s  infrastructure,  there  can  be  no  denying  who  will  have 
the  most  work  to  do,  or  who  will  spend  the  most  money  in  the  process.  But  with  the  U.S. 
economy  as  the  engine  for  the  world  economy,  the  real  question  is  can  they  afford  not  to? 

The  obvious  answer  is  no.  Just  the  billions  of  dollars  spent  annually  in  consequence 
management  and  recovery  from  cyberattacks  ought  to  convince  industry  that  preventing 
cyberattacks  is  in  its  best  interest.  Acting  after  a  debilitating  attack  to  finally  get  serious  about 
cybersecurity  is  pointless,  and  ultimately  detracts  from  industry's  bottom  line. 

Finally,  but  potentially  the  most  problematic,  individual  computer  users  must  also  be  held 
accountable.  The  days  of  absolute  free  and  open  access  to  the  Internet  may  be  at  an  end. 
When  anyone  can  buy  a  high-end  computer  and  gain  broadband  access  to  the  Internet,  failure 
to  secure  a  computer  can  enable  it  to  be  used  to  launch  attacks  against  others.  The  analogy  of 
the  early  days  of  automobiles  and  airplanes  when  traffic  was  not  a  serious  safety  concern 
comes  to  mind.  Today  the  U.S.  has  over  38,000  traffic  fatalities  annually®^;  and  after  September 
1 1 ,  who  can  doubt  the  seriousness  of  controlling  where  and  how  airplanes  fly?  Considering  the 
strategic  importance  of  cyberspace  to  the  economy,  governmental  processes,  and  now  to  the 
American  way  of  life,  the  U.S.  cannot  allow  individual  operators  to  continue  to  navigate  through 
cyberspace  in  anonymous  bliss,  and  certainly  not  with  anonymous  ill  intent.  Just  as  drivers  of 
automobiles  and  pilots  of  airplanes  are  licensed,  it  is  now  time  to  license  cyberspace  surfers. 
Assuming  a  totally  benign  and  altruistic  cyber  world,  this  would  not  be  required.  However,  the 
ever-increasing  technical  sophistication  of  cyberspace,  and  more  importantly  the  increasing 
erudition  of  the  cyberattacker,  now  demands  that  one  should  know  who  is  operating  in 
cyberspace,  while  still  maintaining  the  same  privacy  rules  one  may  expect  when  driving  one's 
personal  automobile. 

The  licensing  of  individual  employees  on  the  job  would  be  done  by  their  employers,  who  in 
turn  are  licensed  to  access  the  public  cyberspace  domain  by  the  U.S.  NOSC/CERT.  Employers 
would  be  held  responsible  for  not  just  training  and  certifying  their  workers,  but  for  their 
employees'  bad  behavior  in  cyberspace,  just  as  corporations  are  held  accountable  for  workers 
who  are  extremely  negligent  in  their  duties  in  other  areas,  such  as  when  a  worker  driving  the 
company  delivery  van  commits  some  traffic  violation  leading  to  the  damage  of  property  or  injury 
to  other  individuals.  If  nothing  else,  it  would  be  just  a  matter  of  time  until  lawyers  would  begin  to 
specialize  in  this  type  of  cyber  tort  law. 
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With  private  cyberspace  users,  the  task  of  iicensing  wouid  go  to  ISPs.  Three  measures 
are  necessary  to  make  this  happen:  first,  the  anonymity  of  cyberspace  users  must  cease. 
Individuais  in  anonymity  tend  to  be  boider  than  when  they  are  personaiiy  identified.  Whiie  there 
is  merit  to  requiring  peopie  to  navigate  through  cyberspace  using  a  user  identification  containing 
their  reainame@domain,  each  user  should  instead  be  issued  an  eiectronic  signature  from  the 
ISP.  Not  only  will  this  deter  anonymous  surfers,  in  many  instances  electronic  signatures  have 
already  been  accepted  legally  as  the  electronic  equivalent  of  the  hand  signature.®®  This  allows 
use  of  an  electronic  signature  to  identify  people  when  necessary,  but  would  still  allow  them  to 
use  the  user  identification  of  their  choice,  allowing  some  privacy  like  that  conveniently  desired  in 
chat  rooms,  or  simply  surf  the  net  without  fear  of  identity  harvesting  by  cyberspace  defrauders. 
Only  the  ISP  would  be  able  to  identify  the  individual,  and  then  only  via  proper  legal  request  such 
as  a  search  warrant,  much  the  same  way  a  bank  safeguards  an  account  holder’s  private 
information  and  number. 

Next,  ISPs  would  issue  an  online  test  of  security  procedures,  rules,  and  laws  that  a  new 
user  must  pass  prior  to  issue  of  the  license  to  the  individual.  Once  a  passing  grade  is  achieved, 
the  individual,  for  a  fee  of  course,  would  be  issued  a  license  which  includes  the  digital  signature, 
the  ISPs  software  download  of  mandatory,  industry-produced,  U.S.  NOSC/CERT-approved 
firewall,  anti-virus  software,  and  other  security  software  as  the  ISP  and  possibly  the  U.S. 
NOSC/CERT  require,  with  mandatory  automatic  updates  of  this  software  by  the  ISP  for  the  time 
the  license  is  valid.  This  measure  alone  would  probably  greatly  reduce  the  number  of 
successful  cyberattacks  in  cyberspace. 

Once  again,  there  is  no  attempt  to  understate  the  controversy  and  difficulty  of  this 
proposed  recommendation.  The  process  of  licensing  individuals  for  access  to  cyberspace  will 
be  fraught  with  many  challenges,  not  the  least  of  which  will  be  criticism  of  encroachment  upon 
civil  liberties.  Additionally,  it  further  changes  the  paradigm  of  the  way  business  is  conducted  in 
cyberspace;  but  much  was  probably  the  same  when  highways  and  flyways  were  also  so 
originally  regulated.  However,  as  government,  industry  and  individuals  become  more  and  more 
dependent  on  cyberspace,  security  becomes  proportionally  as  important.  One  thing  is  certain, 
though;  the  U.S.  can  no  longer  allow  cyberspace  to  go  as  unregulated  as  it  has  been  to  date. 

CONCLUSION 

The  original  ARPANET^”  was  intended  for  use  by  researchers  and  academicians  to 
corroborate  their  scientific  findings,  and  so  the  inventors  of  this  predecessor  to  the  Internet  did 
not  foresee  nor  expect  that  anyone  would  intentionally  behave  badly.  But  just  as  many 
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American  pioneers  moved  west  to  find  new  opportunities,  so  did  the  associated  criminai 
eiement  move  with  them;  and  so  it  has  been  with  the  Internet,  ARPANET'S  successor.  Even 
today  the  Internet  is  in  many  ways  much  like  the  oid  west,  and  many  countries  in  the  worid  are 
debating  who  shouid  govern  it.^'  If  cyberspace  is  the  future  of  business,  then  as  more  and  more 
business  finds  itseif  conducted  in  this  newest  medium,  the  rate  of  reguiation  of  cyberspace  wiii 
probabiy  increase  proportionateiy. 

The  U.S.  as  a  whoie  is  stiii  not  doing  enough  to  secure  and  defend  cyberspace.^^  The 
strategic  impiications  of  this  shouid  be  ciear;  aii  sectors  of  American  society  are  now  dependent 
upon  cyberspace,  and  this  dependency  grows  rapidiy  daiiy.  Untii  now  cyberspace  has  existed 
with  reiativeiy  unreguiated  access.  However,  as  the  reiiance  on  cyberspace  grows,  the 
subsequent  requirement  for  security  aiso  grows  with  it.  We  must  now  take  at  ieast  the  minimum 
necessary  measures  to  better  secure  cyberspace,  or  continue  to  suffer  the  consequences  of 
computer  attacks  from  a  variety  of  threats.  The  U.S.  Government  must  first  set  the  exampie  by 
securing  itseif,  and  then  move  to  bring  industry  into  compiiance,  preferabiy  through  consensus, 
but  if  necessary  through  reguiation  or  iegisiation.  Whiie  government  shouid  dispiay  the 
necessary  ieadership  in  this  arena,  industry  has  the  great  majority  of  the  nation’s  infrastructure, 
and  therefore  wiii  bear  the  iargest  burden.  Finaiiy,  individuai  users  must  take  a  more  active  roie 
in  securing  their  smaii  part  of  cyberspace.  The  recommendations  contained  herein  may  not  be 
the  finai  soiution,  and  most  iikeiy  wiii  be  controversiai.  Nonetheiess,  they  provide  at  the  very 
ieast  a  point  of  departure  from  which  to  continue  the  debate  on  securing  American  cyberspace 
in  order  to  prevent  the  potentiai  digitai  Peari  Harbor  or  eiectronic  September  1 1  from  ever 
occurring. 
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Administration’s  website;  Internet;  available  from  http://www.fda.gov/ora/compliance_ref/part1 1/, 
accessed  8  February  2004.  Another  is  the  commercial  website  by  Rogers,  Joseph,  O'Donnell  & 
Phillips,  Attorney’s  at  Law,  available  from  http://www.rjop.eom/publish45.htm#intro;  Internet; 
accessed  8  February  2003.  Many  more  can  be  found  by  entering  “digital  signature”  in  any  of 
the  popular  Internet  search  engines. 

lnternet.com,  Webopedia,  (Darien,  CT :  Jupitermedia  Corporation,  2004);  available 
from  http://www.webopedia.eom/TERM/A/ARPANET.html;  Internet;  accessed  27  January  2004. 
According  to  Webopedia,  “The  precursor  to  the  Internet,  ARPANET  was  a  large  wide-area 
network  created  by  the  United  States  Defense  Advanced  Research  Project  Agency  (ARPA). 
Established  in  1969,  ARPANET  served  as  a  test  bed  for  new  networking  technologies,  linking 
many  universities  and  research  centers.  The  first  two  nodes  that  formed  the  ARPANET  were 
UCLA  and  the  Stanford  Research  Institute,  followed  shortly  thereafter  by  the  University  of  Utah.” 

Wong  Choon  Mei,  “Fight  Looms  over  Control  of  Internet,”  Yahoo!  News  Technology - 
Reuters  Internet  Report  1 6  September  2003  Oournal  on-line);  available  from 
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Even  as  this  paper  is  being  finalized  late  in  February  2004,  the  Congress  pressed 
DHS  on  cybersecurity  in  the  U.S.  Government.  Yahoo!  News.com  reported  on  24  February 
2004  that  Jonathon  Krim  of  the  Washington  Post  wrote;  “Sen.  Jon  Kyl  (R-Ariz.)  expressed 
surprise  and  frustration  when  a  Department  of  Homeland  Security  official  testified  that  his 
agency  has  not  compiled  a  comprehensive  analysis  of  vulnerabilities  to  cyber-attacks.  Kyl  said 
the  number  of  security  intrusions  reported  to  the  Internet  security  coordination  center  at 
Carnegie  Mellon  rose  from  84,000  in  2002  to  1 37,000  in  2003,  some  causing  millions  of  dollars 
in  damages.  Amit  Yoran,  who  heads  the  department's  cyber-security  division  formed  last  year, 
said  the  Department  of  Homeland  Security  takes  an  integrated  approach  to  all  terrorist  threats 
and  does  not  look  at  computer  vulnerabilities  in  isolation.  Asked  by  Sen.  Dianne  Feinstein  (D- 
Calif.)  whether  his  department  has  issued  any  directives  to  other  federal  agencies  about 
improving  security,  Yoran  responded  that  he  works  closely  with  them.  'I  take  it  the  answer  is 
no,’  said  Feinstein,  the  only  other  senator  to  appear  at  the  hearing  of  the  Judiciary 
subcommittee  on  terrorism,  technology  and  homeland  security,  which  Kyl  heads.  For  the  full 
article  see  Jonathon  Krim,  “Cyber-Security  Coordination  Lacking,  Senators  Contend,”  Yahoo! 
News  Technology-washlngtonpost.com ,  24  February  2004  [journal  on-line];  available  from 
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GLOSSARY 


ARPA 

Advanced  Projects  Research  Agency 

ARPANET 

Advance  Research  Projects  Agency  Network 

CAC 

Common  Access  Card 

ccTLD 

ceuntry  cede  Top-Level  Domain 

CERT 

Computer  Emergency  Response  Team 

CND 

Cemputer  Network  Defense 

CNO 

Cemputer  Netwerk  Operations 

CONUS 

Continentai  United  States 

DMA 

Department  of  Homeiand  Security 

DISA 

Defense  information  Systems  Agency 

DOD 

Department  of  Defense 

DoS 

Deniai  of  Service 

PARS 

Fataiity  Anaiysis  Reporting  System 

GNOSC 

Giobai  Network  Operations  and  Security  Center 

GovNet 

Government  Netwerk 

gTLD 

generic  Tep-Levei  Domain 

lANA 

Internet  Assigned  Numbers  Authority 

ICANN 

Internet  Corperatien  for  Assigned  Names  and  Numbers 

ISP 

Internet  Service  Provide 

IT 

Information  Technoiogy 

NOSC 

Network  Operations  and  Security  Center 

RCERT 

Regienai  Computer  Emergency  Reaction  Team 

RNOSC 

Regionai  Network  Operations  and  Security  Center 

TNOSC 

Theater  Network  Operations  and  Security  Center 

TSA 

Transportatien  Security  Administration 

U.S. 

United  States 

USA 

United  States  Army 

USACERT 

U.S.  Army  Computer  Emergency  Response  Team 

USANETCOM 

U.S.  Army  Network  Enterprise  &  Technoiegy  Cemmand 

USAWC 

U.S.  Army  War  Celiege 
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